reference is made to the united nations’ (“un”) letter dated 6 ... landingpage/bilag 22... ·...
TRANSCRIPT
g
Deloitte
Statsautoriseret Revisionspartnerselskab
CVR no.33 96 35 56
Weidekampsgade 6
P.O. Box 1600
0900 Copenhagen C
Phone +45 36 10 20 30
Fax +45 36 10 20 40
www.deloitte.dk
Deloitte Touche Tohmatsu Limited Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms,
and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”)
does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.
21 December 2017
United Nations
Attn: Dmitri Dovgopoly, Director
Procurement Division
Dear Mr. Dovgopoly
Reference is made to the United Nations’ (“UN”) letter dated 6 September 2017
concerning the application for reinstatement with the UN Secretariat and letter
dated 17 November 2017 from the UN to Atea A/S (“Atea”) concerning its evalua-
tion of the proposed independent Ethics and Compliance Expert.
In the letter dated 17 November 2017 from the UN to Atea, Deloitte was appointed independent Ethics
and Compliance Expert and assigned to make an expert report based on a review of Atea’s Ethics and
Compliance Program, comprising the following elements:
i. Verification that the Ethics and Compliance Program contains all the Mandatory Elements and
is otherwise fully consistent with and enforceable under pertinent local, national or international
laws and conventions. If the Company believes that any of the Mandatory Elements are not ap-
plicable to the Company, or cannot be lawfully implemented by the Company, the Expert shall
provide a succinct explanation addressing the reasons therefor, including particular facts or legal
principles upon which the Expert relies.
The mandatory elements refer to the following:
i. Prohibition of Misconduct
ii. Appropriate Scope and Underlying Risk Assessment
iii. Corporate Responsibility (“Tone at the Top”).
iv. Corporate Oversight
v. Publishing the Ethics and Compliance Program
vi. Mandating Adherence to the Ethics and Compliance Program
vii. Training
viii. Advice and Reporting
2
ix. Prohibition of Retaliation for Reporting Misconduct
x. Accurate Books and Records
xi. Due Diligence and Monitoring of Business Associates
xii. Discipline and Incentive Measures
xiii. Remediation of Misconduct
xiv. Disclosure of OFFP-Related Proceedings.
ii. Verification that the Ethics and Compliance Program constitutes an effective set of policies,
procedures and other measures to engender ethical conduct and prevent Misconduct or violation
of applicable laws.
iii. Verification that the Company has adopted all additional provisions recommended by the Ex-
pert and otherwise addressed all gaps or insufficiencies identified by the Expert.
iv. Documentary evidence underlying the Ethics and Compliance Program and its adoption by the
Company. This must include, but not be limited to all documents constituting or reflecting the
Ethics and Compliance Program and its adoption such as standards and procedures, codes of
conduct, policies, internal controls, board or management minutes, job descriptions, training
materials, guidance materials, contract forms, corporate records and other relevant information
sufficient to demonstrate that the Company has adopted an effective Ethics and Compliance
Program. This must include all documentation and other materials upon which the Expert has
relied in reaching his or her conclusions.
v. The company’s schedule and plans for implementing the Ethics and Compliance Program.
vi. Confirmations that any Company Directors, officers, employees, agents, or business associates
who participated in any misconduct with regard to OFFP are no longer employed by, or other-
wise associated with, the Company.
In our view, Atea has designed, developed and implemented a strong Ethics and Compliance Program
and we are able to positively verify and confirm all of the above sections.
Please refer to the following pages for our detailed review of each of the sections.
Yours sincerely
Morten Egelund
Partner
3
The Expert’s Report and Supporting Documentation
The steps below refer to the mandatory elements set out in the letter dated 6 September 2017 from the
UN to Atea and specified in this letter on page 1-2. Based on the specifications from the UN, Deloitte
has commented and referred to the documentation which Atea has in place relating to the specific
mandatory elements.
i. Verification that the Ethics and Compliance Program contains all the Mandatory Ele-
ments and is otherwise fully consistent with and enforceable under pertinent local, nation-
al or international laws and conventions. If the Company believes that any of the Manda-
tory Elements are not applicable to the Company, or cannot be lawfully implemented by
the Company, the Expert shall provide a succinct explanation addressing the reasons
therefor, including particular facts or legal principles upon which the Expert relies.
The mandatory elements refer to the following:
i. Prohibition of Misconduct
Based on the occurrence of misconduct that was brought to Atea’s attention in 2015,
Atea has designed, developed and implemented an Ethics and Compliance Program
changing procedures and controls within the organization assuring both prevention
and detection. The compliance program sets out guidelines and requirements as well
as rules of internal behavior at Atea.
In the compliance program, Atea has designed and implemented the following poli-
cies and procedures that set the Ethics and Compliance agenda of the organization:
Corporate Governance
The Company’s Corporate Governance is on top of the Ethics and Compliance Pro-
gram; please refer to “Appendix 12: Corporate governance”. The Corporate Gov-
ernance outlines the broad and high-level guidelines for roles and responsibilities of
the Board, Management and various committees.
According to the Audit committee charter set forth in the Corporate Governance
document, the Audit committee shall:
“support the Board’s governance and oversight responsibilities for: Compliance
with Group policies and relevant laws”.
4
Furthermore, according to the Statement of Purpose, the Compliance committee
shall:
“provide assistance to the company’s management and the audit committee to ena-
ble Atea Group to continue to operate according to the highest ethical business
standards and in accordance with applicable law and regulations”.
The framework outlines the principles of the Board of Directors and management’s
aim to execute their respective tasks in accordance with the highest standards for
corporate governance. The principles are based on the applicable laws of Norway
and regulations set forth by the Oslo Stock Exchange and the Norwegian Code of
Practice for corporate governance. Norwegian law is used because the parent com-
pany of the Atea Group “Atea ASA” is listed on the Norwegian Stock Exchange.
The Company’s Corporate Governance also sets forth guidelines related to Risk
Management, internal controls, Ethics and financial reporting and outlines the
Charter and purpose of the Areas Compliance Committee, who shall provide assis-
tance to company management and the audit committee to enable Atea Group to
continue to operate according to the highest ethical business standards and in ac-
cordance with applicable law and regulation. The criteria for the composition of the
Compliance Committee and its responsibilities are also outlined in the Corporate
Governance document.
Ethics and Compliance Program
Below the Corporate Governance framework are several documents that jointly
shape and represent the Ethics and Compliance Program. The main documents
shaping the Ethics and Compliance Program are:
- The “Code of Conduct” - please refer to Appendix 1.
- The “Compliance Program” - please refer to Appendix 5.
- The “Annual Wheel” - please refer to Appendix 7.
- The “Compliance Policy” - please refer to Appendix 10.
The main documents outlined above will be described in detail below. Further-
more, we will make references throughout the report to other relevant policies and
documents supporting the Ethics and Compliance Program.
Code of Conduct
The “Code of Conduct” (hereinafter “the CoC”) reflects the “Tone at the top” and
outlines the responsibilities of every employee, consultant, subcontractor or other
party working on behalf of Atea, and it states a zero tolerance of violation of the
CoC. All employees must undergo a training in the CoC. The CoC outlines the re-
5
porting line in case of need for guidance, questions or reporting related to a chal-
lenging business, legal or ethical situation, or about a potential violation of the
CoC, law or business ethics by another Atea employee. The reporting line is to
consult the immediate manager, the Compliance Office or the confidential Whis-
tleblower Hotline. The section “Personal Conduct” in the CoC states that all em-
ployees must comply with applicable laws and regulations, even if these laws are
not expressly stated in the CoC. Violations of laws will not be tolerated. Corrup-
tion and bribery of any kind to business contacts, government agencies or other
third parties in order to influence a business decision or facilitate a legal/regulatory
process is prohibited and opposed by Atea. The “Internal Control” section of the
CoC states that transactions should be authorized according to the appropriate ap-
proval levels and that Atea’s financial and legal reporting shall comply with all ap-
plicable laws and regulations and be full, fair, accurate, timely and understandable.
In addition, the “Internal Control” section states that all Atea employees have a re-
sponsibility to safeguard the confidentiality of sensitive information related to
Atea, its employees and outside parties with whom Atea interacts.
According to the section “Social responsibility” in the CoC, Atea firmly opposes to
all forms of corruption and that Atea will work against corruption in all forms, in-
cluding extortion and bribery, in accordance with the UNGC principles.
Compliance Program
Atea has designed and implemented a document named Compliance Program,
please refer to Appendix 5. Atea’s Compliance Program is based on the Code of
Conduct, please refer to Appendix 1, and intended to work as an Anti-Bribery
Management System, enabling Atea to comply with the requirements of the UN
Global Compact, the UK Bribery Act and relevant legislation in the countries in
which Atea acts. Atea takes risk factors such as market place, products & services,
customers and competition into consideration when carrying out, monitoring and
updating the Compliance Program. The Compliance program is designed to focus
on and comply with the principles of the ISO 37001 certification (Anti-Bribery
management Systems). Additionally, Atea had set a strategic goal when developing
and implementing the Compliance Program of becoming ISO 37001 certified,
which was reached in December 2017 when Atea was awarded the 37001 certifica-
tion issued by Bureau Veritas (the first verification of any company in Denmark).
Please refer to Appendix 13 for a copy of the ISO 37001 certificate.
The Compliance Program describes the method for identification of risk areas and
includes a summary of the 13 areas currently identified as “Risk Areas”. Each risk
area contains the following elements:
6
Description of the area
Risk description
Employee group (who could be exposed to the risk or who has previously
been involved in incidents)
Probability (ratings from 1 to 5)
Impact (ratings from 1 to 5)
Risk elimination and controls (description of control in place)
Residual risk (residual risk after the effect of the implemented control(s))
Monitoring action (description of the monitoring actions planned for this risk
area and scheduled in the annual wheel)
Sanction options (types of corrective actions).
Annual Wheel
In the Compliance Program mentioned above, reference is made to an Annual
Wheel; please refer to Appendix 7. The Annual Wheel provides an overview and
serves as a schedule for each of the tasks required to be performed throughout the
year. The required activities are:
Monitoring and control of identified risks (every month)
Management meetings (once every quarter)
Compliance committee (once every quarter)
Evaluation of risk areas (once a year)
Changes to the business (every month)
Compliance advisory board (twice a year)
ISO certificate (once a year)
Risk descriptions (once a year)
Evaluation of the Compliance Officer’s role by the CFO (once a year)
Audit of the anti-bribery management system (once a year).
It is possible to add or remove Risk Areas throughout the year in case of major
changes to business operations, organization, competitive situation, etc. The Annu-
al Wheel keeps track of the current and historical Risk Areas. The actual Risk Are-
as are outlined and individually described in the Compliance Program; please refer
to Appendix 5.
Compliance Policy
The Compliance Policy, please refer to Appendix 10, outlines specific guidelines
for all Atea employees in Denmark for the prevention of corruption, bribery and
kickbacks in relation to the following areas which are described in detail:
7
Gifts
Hospitality
Travel
Customer events
Sponsorships and similar activities.
The policy guides the employees on when to consult, when to act and when and
where to report any signs of possible misconduct in relation to corruption, bribery,
etc.
We have verified that the Ethics and Compliance Program contains all the manda-
tory elements of a generally accepted international compliance program and that it
is fully consistent with and enforceable under local law.
ii. Appropriate Scope and Underlying Risk Assessment
The Code of Conduct, please refer to Appendix 1, is applicable to all Atea branches
and all employees, affiliates or third parties. Furthermore, the Compliance Policy,
please refer to Appendix 10, is applicable to all employees hired with Atea Den-
mark.
As part of establishing an ethics and compliance program, Atea established a task
force, which had to identify any potential areas of risk in business areas, with cus-
tomers, external parties, suppliers, etc. The task force included top management,
relevant sales directors and other employees from legal and financial functions.
Atea also invited external experts to the identification process, including Deloitte.
The task force held discussions, workshops, made analyses, internal inquiries and
received input from internal and external stakeholders. Initially, 17 Risk Areas
were identified, which were subsequently reduced to 13 key Risk Areas as of De-
cember 2017. The process, scheduling and responsibility of the Risk Assessment
and the monitoring, recording and tracking of current and historical Risk Areas are
documented in the Compliance Program and the Annual Wheel.
We have verified that Atea performs a continuous update of Risk Areas based on
the Risk Assessment.
iii. Corporate Responsibility (“Tone at the Top”).
Atea has implemented the CoC, please refer to Appendix 1, that sets the Compa-
ny’s “Tone at the Top”. Deloitte has verified that the Company’s CoC encourages
8
to ethical conduct and compliance with applicable laws and does not tolerate Mis-
conduct. The Ethics and Compliance program and all related policies and docu-
ments have been made available to all employees through the Company’s intranet
site, please refer to appendix 9: Screenshot from intranet, and to external stake-
holders through the Company’s official website. Top Management participates in
Compliance “Road shows”, which are presentations held by the Compliance Of-
ficer and the Legal and Compliance Director for Atea employees in branches
throughout Denmark, please refer to Appendix 8.
In June 2017, as a part of its ongoing statements in relation to Atea’s status of im-
plementing a compliance program, Deloitte commented on Atea’s top-level com-
mitment. Deloitte stated that top management has introduced many initiatives, such
as meetings with internal/external stakeholders, articles in internal and external
communication channels, town hall meetings, management meetings, strategy ses-
sions, compliance roadshows and a well-organized governance structure. Deloitte
also stated that a strong top-level commitment that set the tone at the top was pre-
sent in the organization, please refer to Deloitte’s statement as of June 2017: Ap-
pendix 45.
iv. Corporate Oversight
The Atea Group has created a Compliance function in the Legal department in
Denmark. This function covers and is responsible for all Danish subsidiaries. The
Compliance function reports directly to top management with reference to the CFO
and has the mandate to make any necessary decisions in order to adhere to the
Compliance Program. Top Management is overall responsible for the Anti-Bribery
Management System, but the Compliance Officer is responsible for the day-to-day
activities and maintenance. The Compliance Officer reports on a quarterly basis to
the Group Compliance Committee which reports to the Audit Committee. Based on
the information available, Deloitte’s assessment is that the Compliance Officer has
the necessary competencies and resources available, has adequate authority, access
to governing bodies and autonomy to perform the required assignments. Further-
more, the compliance function is also responsible for monitoring the Risk Areas
and creating monitoring reports for management for review and application of
sanctions, if needed.
We verify that Corporate Oversight is in place.
9
v. Publishing the Ethics and Compliance Program
All Atea policies, including the Compliance Policy (Anti-Corruption Policy),
guidelines and responsibilities and the Whistleblower Guide are uploaded on the
Company’s intranet site and made available to all employees. Please refer to Ap-
pendix 9: Atea Intranet. In addition, all employees are required to complete a train-
ing in the Company’s CoC, please refer to vii. Training section.
Furthermore, Deloitte has verified that the Company has made documents relevant
for the Ethics and Compliance Program available on their public website. The doc-
uments include:
Code of Conduct (CoC)
Supplier Code Of Conduct documents
Corporate Governance
Compliance Policy
Whistleblower scheme (direct and anonymous reporting lines).
Please refer to Appendix 46: Screenshot from Atea’s homepage.
We verify that the Ethics and Compliance Program has been published.
vi. Mandating Adherence to the Ethics and Compliance Program
Deloitte verifies that necessary clauses related to misconduct are included in em-
ployee contracts, please refer to Appendix 47: Clause in employee contract. Fur-
thermore, Atea has included the following material in contracts with third parties:
Code of Conduct, anti-corruption language, audit rights and terminations clauses.
For further details, please refer to section xi. Due Diligence and Monitoring of
Business Associates. Additionally, Atea was awarded the ISO37001-16 certification
in December 2017, please refer to Appendix 13: Certification.
We verify Adherence to the Ethics and Compliance Program.
vii. Training
Atea requests employees to complete training (e-learning) in CoC and compliance
policies once a year. The training is tracked by Compliance and reminders are sent
to employees who have not completed the training timely. Atea’s operational goal is
that at least 95% of all employees have completed and passed the training. The rea-
soning for not aiming at 100% is sick leave, maternity leave and also ongoing hiring
of new employees. The training is divided into four employee groups:
10
a) Leaders
b) Consultants
c) Sale
d) General Management.
Please refer to an extract from the training system (Knowledge portal) for the train-
ing records, Appendix 3. Furthermore, please refer to Appendix 4 and 11 for the
questions included in the test.
We verify that training in the Ethics and Compliance Program is performed.
viii. Advice and Reporting
For employees seeking advice or guidance, Atea has a compliance/legal department
in Atea Denmark that is open for all employees within normal working hours. Out-
side normal working hours, Atea has a hotline: [email protected] allowing em-
ployees to address questions and get guidance 24/7. In case of a need or wish to re-
port anonymously, Atea does have its whistleblower system, please refer to section
V. Remediation of Misconduct for more details. Besides this, Atea also uses its in-
tranet to upload policies and guidance, and it sends emails in plenum to advice on
hot topics and relevant subjects, please refer to Appendix 49: Emails sent out to em-
ployees.
We verify that Advice and Reporting is in place.
ix. Prohibition of Retaliation for Reporting Misconduct
In Atea’s whistleblower scheme or guide is stated that all data will be treated as
confidential. The reporting can be either anonymous or open, but either way, Atea
will not sanction an employee on behalf of a reporting, if this subsequently proves
to be unfounded, please refer to Appendix 18: Whistleblower scheme.
We verify prohibition of retaliation for Reporting Misconduct.
x. Accurate Books and Records
Atea has implemented financial controls and procedures to ensure that all financial
transactions are correct and complete and timely to ensure reliable accounting, in-
cluding prevention, detection and subsequent verification of intentional and unin-
tentional errors and deficiencies as well as compliance with applicable legislations.
The document Appendix 52: Financial controls describe the controls in place to re-
duce the bribery risk.
11
Furthermore, Deloitte is the financial auditor and is signing the annual report each
year after its review following Danish legislation on auditing. Please refer to Ap-
pendix 50: Statement from the auditors and the annual report, Appendix 51: Annu-
al Report. Atea is listed on the Oslo Stock Exchange and required to adhere to the
highest accounting and reporting standards.
We verify that accurate books and records are in place.
xi. Due Diligence and Monitoring of Business Associates
When engaging business associates, Atea divide these into three different groups:
strategic business partners, non-strategic business partners and local business
partners as the risk profile is handled differently for the three types.
Strategic business partners:
For the strategic group, these business associates are handled on a group level,
which means that category management in Denmark is not able to go forward
with a purchase without a group level approval. The associates classified as stra-
tegic are initially requested to complete a survey to uncover the associates’ own
risk management process and internal controls that are in place. Furthermore, the
associates are required to comply with the industry association’s code of conduct
EICC or similar industry code of conduct in which anti-bribery management
should be incorporated. Beside the survey and compliance with industry associa-
tion’s code of conduct, Atea is performing a Risk Assessment based on two pa-
rameters: Management system and transparency. The associates are ranked based
on the maturity of their internal management systems and the transparency of
these.
Non-strategic business partners:
For the non-strategic group, Atea performs the same process as mentioned for
strategic business partners, but without validating the parameters “management
system” and “transparency”. In 2016, Atea ran a pilot project concerning the im-
plementation of a risk-based approach to supplier management. In this project 32
partners were selected and validated through the EICC (Electronic Industry Citi-
zenship Coalition) online system on different parameters and plotted into a rank-
ing system. Deloitte has seen and validated this documentation. Because of confi-
dentiality and personal information, this documentation is not provided.
12
Local business partners:
The local business partners (in Denmark) is handled by the Danish procurement
department. Category management in Denmark has decided that all business part-
ners are required to sign a new agreement, in which they acknowledge to work
under the EICC code of conduct or similar industry code of conduct. The clause
and reference to standard can be found in section 3 in the contract form for busi-
ness partners. Please refer to Appendix 39 and 40: Contract templates.
The three types of business associates mentioned above are referred to in Appen-
dix 42: Supplier creation and Maintenance_APP.
In addition, before proceeding with the business partner, Atea follows a work in-
struction, please refer to Appendix 42: Supplier Creation and Maintenance - Work
Instruction. This guide explains the flow that needs to be followed to create a new
supplier in the system and ensures that all creations are reviewed and approved
and credit checked prior to creation.
When entering into a business relationship, Atea requires a contract between the
two parties to be in place. Please refer to templates that have been developed: Ap-
pendix 39 and Appendix 40. The contract outlines services, terms and conditions
as well as a clause regarding code of conduct, anti-corruption language, audit
rights and termination clauses.
With regard to monitoring third parties, this is a Risk Area identified in Atea’s in-
ternal document “Compliance Program”, please refer to Appendix 5. Third parties
are monitored on an annual basis, cf. the Annual Wheel, please refer to Appendix
7.
We verify that due diligence and monitoring of business associates are performed.
xii. Discipline and Incentive Measures
Atea performs both preventive and detective actions in relation to misconduct. The
preventive actions comprise e.g. trainings, policies and internal procedures. The de-
tective actions are based on compliance monitoring. The monitoring is based on a
Risk Assessment where 13 Risk Areas have been identified. The Annual Wheel sets
out when to perform the monitoring for each single risk. For each Risk Area, Atea
has specified in the Compliance Program, please refer to Appendix 5: Compliance
Program, the proceedings for collecting samples for the specific areas. Furthermore,
Deloitte has assisted Atea in developing a comprehensive monitoring program that
13
is completed for the selected samples per risk area. Based on testing of samples and
interviews with key stakeholders, a monitoring report is made and sent to the man-
agement team. Please refer to Appendix 19-37: Monitoring reports. Management is
adding its management response and applying sanctions, if needed. Atea has de-
scribed the process for sanctions in a guide: process for designing reports in relation
to monitoring, Appendix 14. If it is concluded that one or more employees are not
following internal procedures or policies, there are five possible outcomes:
- The employee receives a manual/procedure
- The employee is given a reprimand
- The employee receives a verbal warning
- The employee receives a written warning
- The employee is dismissed.
The guide outlines under each possible outcome when and why the specific out-
come is valid as a sanction.
We verify that discipline and incentive measures are in place.
xiii. Remediation of Misconduct
As outlined above, Atea has implemented a monitoring scheme which has been set
out in the Annual Wheel to validate whether there is any misconduct or other viola-
tions of policies and procedures. Beside the monitoring, Atea has also implemented
other measures for investigating misconduct and other violations. Atea has a whis-
tleblower system, to which both internal and external individuals can report. There
are three options for reporting:
- Report to your immediate leader
- Report to compliance - [email protected]
- Report anonymously via the whistleblower system.
Please refer to the description of the whistleblower system Appendix 18: Whistle-
blower scheme.
Based on these reports, Atea has started performing investigations, please refer to
Appendix 38: Investigation, where the procedure is described; because of confiden-
tiality these are not attached.
We verify that remediation of misconduct is performed.
14
xiv. Disclosure of OFFP-Related Proceedings
The abbreviation is assumed to be standing for “Oil For Food program”, which is
not applicable to Atea. Atea’s case and lawsuit are not related to OFFP and there-
fore regarded as non-applicable to this evaluation.
ii. Verification that the Ethics and Compliance Program constitutes an effective set of poli-
cies, procedures and other measures to engender ethical conduct and prevent Miscon-
duct or violation of applicable laws.
The compliance program comprises the following policies and procedures to prevent but also
detect misconduct:
- The “Code of Conduct”, please refer to Appendix 1.
- The “Compliance Program”, please refer to Appendix 5.
- The “Annual Wheel”, please refer to Appendix 7.
- The “Compliance Policy”, please refer to Appendix 10.
Please refer to section i. Prohibition of Misconduct for an in broader description of the poli-
cies.
Furthermore, Atea has implemented specific guidelines for high-risk areas, such as
- Supplier events abroad, please refer to Appendix 15.
- Foreign events, open events and open invitations, please refer to Appendix 16.
- Foreign events for groups, please refer to Appendix 17.
We verify that the Ethics and Compliance Program constitutes an effective set of policies,
procedures and other measures to engender ethical conduct and prevent misconduct or viola-
tion of applicable laws.
iii. Verification that the Company has adopted all additional provisions recommended by the
Expert and otherwise addressed all gaps or insufficiencies identified by the Expert.
Deloitte has not identified any gaps or insufficiencies requiring any additional actions by Atea.
iv. Documentary evidence underlying the Ethics and Compliance Program and its adoption
by the Company. This must include, but not be limited to all documents constituting or
reflecting the Ethics and Compliance Program and its adoption such as standards and
procedures, codes of conduct, policies, internal controls, board or management minutes,
job descriptions, training materials, guidance materials, contract forms, corporate rec-
ords and other relevant information sufficient to demonstrate that the Company has
15
adopted an effective Ethics and Compliance Program. This must include all documenta-
tion and other materials upon which the Expert has relied in reaching his or her conclu-
sions.
Please refer to the description under i., and the following references:
a. Standards and procedures and policies:
- “Compliance Program”, please refer to Appendix 5.
- “Compliance policy” please refer to Appendix 10.
- Supplier events abroad, please refer to Appendix 15.
- Foreign events, open events and open invitations, please refer to Appendix 16.
- Foreign events for groups, please refer to Appendix: 17
- “Corporate governance”, please refer to Appendix: 12.
- “Annual Wheel”, please refer to Appendix 7.
- “Guidance Supply chain”, please refer to Appendix 44.
- “How to handle third parties”, please refer to Appendix 41.
- “Supplier creations and maintenance”, please refer to Appendix 42.
- “Atea procurement agreement Presentation”, please refer to Appendix: 43.
b. Code of conduct:
- “Code of conduct” please refer to Appendix 1.
- “Supplier code of conduct”, please refer to Appendix 2.
c. internal controls:
- “Process monitoring”, please refer to Appendix: 14.
- “Financial controls”, please refer to Appendix: 52.
e: board and management minutes:
- “Board and management meetings”, please refer to Appendix: 37.
f: job descriptions:
- “Resource description compliance”, please refer to Appendix: 6.
g: training materials:
- Questions to compliance training”, please refer to Appendix 4 and 11.
h: guidance material
Please refer to a. standards and procedures and policies.
- “Compliance Roadshow”, please refer to Appendix: 8.
16
i: contract forms
- “Procurement agreement”, please refer to Appendix 39.
- “Atea consultant purchase agreement”, please refer to Appendix 40.
v. The company’s schedule and plans for implementing the Ethics and Compliance Program
Atea has implemented a compliance program comprising, inter alia, an Annual Wheel with ac-
tivities to be performed each single month of the year. The Annual Wheel is based on a Risk
Assessment, where 13 risk areas have been identified. For these 13 Risk Areas, the Annual
Wheel outlines in which month the specific Risk Area has to be tested. Thus, e.g. “ud-
landsrejser” (travels abroad) will be monitored in May and November every year. Besides the
ongoing monitoring of the 13 identified Risk Areas, the Annual Wheel also outlines that man-
agement meetings and compliance committee meetings have to be held once every quarter.
Furthermore, the Wheel includes the element “update of the compliance program”, which con-
sists of an evaluation of the identified Risk Areas (once a year), updates to the compliance
program based on business changes (ongoing every month), compliance advisory board (twice
a year), continued maintenance of obtained ISO certificate 37001-16 and risk descriptions
(once a year). The last elements of the Annual Wheel are “evaluation of the Compliance Of-
ficer's role by top management”, “audit of the organization’s anti-bribery management sys-
tem” and, not least, “training and education of employees within the organization” (once a
year).
Please refer to the “Appendix 7: Annual Wheel”. Furthermore, please refer to i. for a more de-
tailed description of the performed activities mentioned in the Annual Wheel.
vi. Confirmations that any Company Directors, officers, employees, agents, or business asso-
ciates who participated in any misconduct with regard to OFFP are no longer employed
by, or otherwise associated with, the Company.
Deloitte has verified that all employees charged with fraud or bribery as described in the in-
dictment have been terminated. Furthermore, we have requested the HR Director to verify that
all of the employees involved are no longer employed with Atea, please refer to “Appendix
48: HR Director”. Because of confidentiality we have not included any names in this section.
JAA/ach
T:\Afd1180\ATEA 150158\2017\United Nations_expert report FINAL 211217.docx